Netconf has always been a bit buggy.  I found this out trying to get it to set up
multiple IPs.  The only thing reliable is to do it yourself.

Seve

-----Original Message-----
From: Civileme <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, June 29, 2000 1:09 PM
Subject: Re: [expert] REPOST: BUG in netconf


>Bill Shirley wrote:
>
>>
>>
>> Did anyone understand my posting?  Did anyone at
>> Mandrake verify this problem?  Am I on track here, or
>> totally ignorant of how ipchains works?
>>
>> (Pffft, pffft, is this thing working?  Testing, one,
>> two, three.  Testing.)
>>
>> ------------------------------------------------------------------------
>>
>> There is a bug in netconf. Please follow the
>> description of the problem below.
>> I want to forward traffic between my two subnets,
>> 192.168.1.0/24 (subnetA) and 192.168.2.0/24
>> (subnetB). Also, I want to masquerade subnetA to the
>> internet.
>>
>> When I enter the rules into linuxconf
>> (/networking/firewalling/forward firewalling) I
>> should enter the forward rule between subnetA and
>> subnetB before (using the weight option) the
>> masquerading rule. If I don't then traffic between
>> the two subnets will be masqueraded instead of
>> forwarded.
>>
>> However, if I only enter a single non-masq rule
>> between subnetB and subnetA marked as bi-directional
>> (weighted 20) and a single masq rule between subnetA
>> and 0.0.0.0/0.0.0.0 marked as bi-directional
>> (weighted 50) then the output is incorrect. I get:
>>
>> [root@server1 etc]# ipchains -L forward -n
>> Chain forward (policy DENY):
>> target prot opt source destination ports
>> ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
>> MASQ all ------ 192.168.1.0/24 0.0.0.0/0.0.0.0 n/a
>> ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
>>
>> As you can see, traffic from subnetB to subnetA will
>> be forwarded. But, traffic from subnetA to subnetB
>> will be masqueraded instead of forwarded. Rule #3
>> will never be used. To get the correct functionality,
>> I need two separate non-bidirectional rules.
>>
>> subnetA ---> subnetB non-masq non-bi-directional weight 20
>> subnetB ---> subnetA non-masq non-bi-directional weight 20
>> subnetA <-> internet masq bi-directional weight 50
>>
>> Linuxconf/netconf must not be using the ipchains -b
>> flag when it creates the rules. It seems to be using
>> a second pass of the rules to implement the
>> bi-directional feature resulting in the output being
>> in incorrect order. Yes, I know the work-around
>> (create two non bi-directional rules) but will the
>> new linux users?
>>
>> Bill
>>
>>
>>
>
>Mmmm, new to me.  I use masquerading and forwarding
>from ipchains without netconf/linuxconf, writing my own
>script...  I looked at it just now--didn't even know it
>was there til then.  I think  this one might be a good
>one for a bug report.
>
>Civileme
>
>
>
>
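
Added example, not part of the thread or of netconf's code: a small model of the first-match ordering problem Bill describes, comparing reverse rules appended in a second pass (his inference about netconf) with reverse rules placed next to their forward rule. The function names, the tuple layout and the host addresses in the demo are assumptions made for illustration.

```python
from ipaddress import ip_network

A, B, ANY = "192.168.1.0/24", "192.168.2.0/24", "0.0.0.0/0"
# linuxconf entries from the post: (weight, target, source, destination, bi-directional)
ENTRIES = [(20, "ACCEPT", B, A, True), (50, "MASQ", A, ANY, True)]

def expand(entries, second_pass):
    """Turn weighted entries into an ordered chain of (target, src, dst).

    second_pass=True models the behaviour the post infers for netconf: reverse
    rules are appended after all forward rules. False places each reverse rule
    directly after its forward rule. The quoted listing shows no reverse MASQ
    rule, so none is generated here.
    """
    chain, reverse = [], []
    for _, target, src, dst, bidir in sorted(entries, key=lambda e: e[0]):
        chain.append((target, src, dst))
        if bidir and target != "MASQ":
            (reverse if second_pass else chain).append((target, dst, src))
    return chain + reverse

def covers(rule_net, net):
    """True when net lies entirely inside rule_net."""
    return ip_network(net).subnet_of(ip_network(rule_net))

def first_match(chain, src, dst, policy="DENY"):
    """ipchains semantics: the first rule matching src -> dst decides."""
    for target, rs, rd in chain:
        if covers(rs, src) and covers(rd, dst):
            return target
    return policy

def shadowed(chain):
    """(later, earlier) 1-based rule pairs where the later rule can never match."""
    return [(j + 1, i + 1)
            for j, (_, s, d) in enumerate(chain)
            for i, (_, es, ed) in enumerate(chain[:j])
            if covers(es, s) and covers(ed, d)]

if __name__ == "__main__":
    # Host addresses below are constructed sample values.
    for label, mode in (("second pass", True), ("adjacent", False)):
        chain = expand(ENTRIES, mode)
        print(label, chain)
        print("  A->B:", first_match(chain, "192.168.1.10/32", "192.168.2.10/32"),
              "shadowed:", shadowed(chain))
```

Running the shadow check over a generated chain before loading it catches rules like #3 in the listing above, which an earlier, broader rule makes unreachable.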
